REVIEW OF FAA’S PROGRESS IN ENHANCING AIR TRAFFIC CONTROL SYSTEMS SECURITY
Federal Aviation Administration

Report Number: FI-2010-006
Date Issued: November 2, 2009

U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject:  ACTION: Report on Review of FAA’s Progress in Enhancing Air Traffic Control Systems Security, Report Number FI-2010-006
Date:     November 2, 2009

From:     Rebecca C. Leng, Assistant Inspector General for Financial and Information Technology Audits
Reply to Attn. of:  JA–20

To:       Federal Aviation Administrator

This report presents the results of our review of FAA’s renewed initiatives in addressing air traffic control (ATC) systems security weaknesses discussed in our FY 2007 audit report of the Department’s information security program.[1] In that report, we identified the need to implement an operational business continuity plan (BCP) to ensure continued en route services[2] in the event of a long-term disaster. We also identified the need to enhance the system security certification and accreditation process across all air traffic control systems, not just the ones used to support en route operations.

Homeland Security Presidential Directive (HSPD)–7 designates air traffic control systems as part of the Nation’s critical infrastructure, due to the important role commercial aviation plays in fostering and sustaining the national economy and ensuring citizens’ safety and mobility. The Secretary of Transportation is responsible for ensuring that air traffic control facilities, systems, and operations are protected from significant disruption caused by man-made or natural events and are able to resume essential services in a timely manner if disrupted, to minimize the impact on the Nation’s economy.

[1] Audit of Information Security Program, DOT, OIG Report Number FI-2008-001, October 10, 2007. OIG reports can be found on our Web site: www.oig.dot.gov.
[2] The 22 en route centers (Air Route Traffic Control Centers, or ARTCCs) control aircraft at cruising altitude (above 18,000 feet) in transit over the continental United States and out into the Atlantic and Pacific oceans.
Each center handles a different territory of airspace, passing control from one center to another as respective borders are reached, until the aircraft begins to descend and is controlled by a terminal radar approach control facility (TRACON) and airport control tower as it nears its destination.

To fulfill the requirements of HSPD–7, the Federal Aviation Administration (FAA) must protect air traffic control systems with a two-pronged approach: preventing disruption wherever possible and minimizing disruptions when they do occur. Implementing a BCP for en route services and enhancing security reviews of all air traffic control systems are key to accomplishing these goals.

Our objectives were to determine FAA’s progress in correcting security weaknesses previously identified in the air traffic control system by assessing (1) the status of BCP implementation and (2) the enhanced methodology used in the certification and accreditation of air traffic control systems security at operational sites. This performance audit was conducted in accordance with generally accepted government auditing standards prescribed by the Comptroller General of the United States and included such tests as we considered necessary to detect fraud, waste, or abuse. Details of our scope and methodology can be found in Exhibit A.

RESULTS IN BRIEF

FAA has designated the William J. Hughes Technical Center in Atlantic City as the recovery site where operations would be resumed if any en route center became inoperable. It has made good progress in preparing the Technical Center to serve as the recovery site, such as establishing a duplicate en route system environment on-site and installing additional emergency power at the center.
Yet several unresolved technical challenges, staffing issues, and funding requirements could delay recovery site readiness. Beyond this, FAA has not assessed how activating the recovery plan during an emergency would affect air travel and the economy across the country—a key concern in HSPD–7. Further, while FAA has enhanced the process of reviewing ATC systems security, the reviews were not properly carried out to ensure security protection of operational ATC systems.

Status of BCP Implementation

The unresolved technical issues concern radar coverage and air-to-ground communications. While FAA has demonstrated the capability to use alternate methods to redirect radar and communications signals from the affected en route center to the recovery site, it has not established that using alternate methods can meet FAA’s operational requirements to ensure safe air travel. Specifically, FAA planned to use modems and regular telephone lines to transmit single-path radar signals[3] to the recovery site; however, it did not test the integrity of this transmission to ensure that signals cannot be lost or disrupted.

FAA’s testing of its ability to re-route communications signals also entailed a significant limitation—it used the network connections and communications equipment in an en route center that was supposed to be out of service. According to FAA, it will have to work with local telephone companies to establish new connections between field communications equipment and the recovery site. However, no detailed plan exists to implement this proposed action or to test whether communications through these new connections can meet FAA’s stringent latency requirement.[4] FAA needs to demonstrate that activating the recovery site will not compromise the safety of air travel.

The recovery site cannot become operational without air traffic controllers on-site. FAA has created a database containing the names of all controllers and the airspace sectors in which they are certified to direct traffic. Should an en route center become nonfunctional, FAA will use this database to identify controllers qualified to direct traffic in the affected airspace. However, FAA has not developed a plan to address related labor issues, including personnel relocation and temporary housing. Further, FAA has not performed a cost estimate for developing a fully functional BCP, as required by FAA’s Acquisition Management System. Instead, FAA allocated $15 million to this development effort by reallocating funds from other parts of its operations. Developing a cost estimate based on the tasks that need to be completed is a basic project management control. Without it, FAA cannot determine whether it has allocated adequate funds for implementing all tasks critical to continued en route services at the recovery site, such as relocating air traffic controllers. FAA needs to develop a plan for relocating and housing air traffic controllers at the recovery site and conduct a credible cost estimate for implementing the BCP.

Finally, under the current BCP, FAA pledges to restore 80 percent of any affected en route center’s capabilities at the recovery site within 3 weeks of shutdown. However, FAA did not analyze the impact on air travel that would be caused by losing an en route center for 3 weeks. The impact could vary significantly, depending upon the affected en route center’s traffic volume and the ripple effect of delays to other parts of the country.
The loss of the New York or Chicago center, for example, would have a far greater impact than would the shutdown of less busy centers. Without such analysis, the Secretary of Transportation will not be able to inform the Administration and the Congress about the potential impact on air travel—and the economy—if FAA had to activate BCP operations. FAA needs to assess the potential impact and provide the results to the Secretary in support of HSPD–7.

[3] More than 40 percent of long-range radars are single-path—with connections to only one en route center. Should the en route center become inoperable, it could no longer serve as a connection point between the radar and other ATC facilities.
[4] Latency is defined as the total time required to successfully transmit a unit of information across two network connection points. FAA requires that air-to-ground communications be completed within milliseconds (one thousandth of a second).

Security Certification Reviews

FAA has enhanced the review process of ATC systems security in recent years by sending teams to ATC facilities to evaluate systems in operation—directing air traffic. This represents a significant improvement from the previous approach, which focused on reviewing security controls of the ATC (baseline) systems in the computer laboratory, but not the systems deployed to operational sites.[5] However, FAA has not followed its own procedures to ensure that operational sites at risk of having unauthorized system configurations are selected for evaluation.[6] Our review of the site-selection methodology for five sample systems found only one for which system configuration variance was reviewed in the site-selection decision.
A prior audit identified instances in which ATC systems were configured differently in the field from the baseline system, resulting in security vulnerabilities for ATC operations. Currently, FAA has no way of knowing whether its personnel selected the sites that did, in fact, pose the greatest security risk for review. FAA needs to focus on reviewing system configuration variances during site selection.

Further, the security reviews conducted at operational sites for our sample systems lacked examination and/or testing, and were incomplete. The review teams relied primarily on interviews with system operators to develop conclusions on the adequacy of security controls. In addition, 43 percent of security control items in our sample systems were not reviewed. As a result, FAA cannot rely on these reviews to detect and correct security vulnerabilities in operational ATC systems. FAA therefore needs to better ensure the integrity and completeness of the security reviews conducted on operational ATC systems.

Overall, despite FAA’s progress over the past 2 years in implementing a BCP for continued en route services and expanding security evaluations of operational ATC systems, additional action is needed to strengthen security protection and minimize the impact of long-term service disruption. Issues concerning the security of a critical national infrastructure should receive priority attention at a time of increased threats from nation-state-sponsored cyber attacks. We made a series of recommendations, beginning on page 14, to help FAA implement a fully functional BCP and strengthen its ability to protect operational ATC systems. FAA concurred with the recommendations. FAA’s formal response is included in its entirety in the Appendix to this report.

[5] ATC (baseline) systems are developed and tested in the computer laboratory before being deployed to operational sites. For example, the Host Computer is deployed to the 22 en route centers to support high-altitude air traffic control operations.
[6] System configuration involves setting up hardware and/or software to meet one’s particular needs, such as changing factory-set defaults. In the case of FAA systems, hardware or software can be configured one way in the computer laboratory, then altered in various ways to fit the needs of local installations.

FINDINGS

Despite Progress, the Designated Recovery Site Is Not Yet Fully Ready to Provide Air Traffic Control Services in Case of En Route Center Disaster, and Impact on Air Travel Has Not Been Assessed

Since 2007, FAA has made good progress in preparing the Technical Center to serve as the recovery site, by establishing a duplicate en route system environment and installing additional emergency power on-site. Yet unresolved technical challenges, staffing issues, and funding requirements could delay recovery site readiness. In addition, FAA has not assessed how activating the recovery site during an emergency would affect air travel, threatening the Secretary’s ability to inform the Administration and Congress of potential impact on the Nation’s economy, a key concern in HSPD–7.

Unresolved Technical Challenges, Staffing Issues, and Funding Requirements Could Delay Recovery Site Readiness

Technical Challenges

• Surveillance. This involves redirecting radar signals from the affected en route center to the recovery site.
  Long-range radar facilities are very important to air traffic controllers because they act as their eyes in the sky. Currently, 44 percent (60 of 137) of all long-range radar facilities that feed en route centers are single-path, meaning that the radar data are being fed only to a single air traffic control facility. This is a problem because if the en route center that receives the data is lost, the radar data cannot be easily re-routed to the recovery site. While FAA has identified an alternate method to transmit single-path radar signals, it did not test the integrity of this transmission to ensure signals cannot be lost or disrupted.

  As shown in Figure 1, dual-path radars can send signals to the backbone network (Federal Telecommunications Infrastructure [FTI]) even if one path is lost; once there, FAA has shown that the signal can be redirected back to the recovery site during BCP operations. In contrast, the single-path radars lack this redundancy; if the one path is lost, the radar signal cannot reach FTI or, therefore, the recovery site.

  Figure 1. BCP Mitigation Strategy for Single-path Radar
  Source: OIG

  FAA’s planned strategy is to enable a backup modem on these radars and send the data over existing telephone/facsimile lines back to the recovery site. However, FAA did not test the integrity of this transmission to ensure that signals will not be lost or disrupted. As a result, FAA has no assurance that its current strategy can provide radar data sufficient to meet FAA operational standards; this strategy may, then, endanger flight safety if called upon during BCP activation.

  Single-path radars are as important as dual-path, and sometimes cover areas just as large.
  For example, a single-path radar facility in the Memphis region is responsible for providing radar coverage to an area half the size of the state of Mississippi. FAA must test the integrity of the planned use of back-up modems and existing telephone/facsimile lines to re-route data from single-path radars to the recovery site.

• Communications. Ground-to-air voice communications is a vital part of air traffic control operations that must be fully operational and meet safety requirements in order for the BCP to work in a live environment. This involves re-routing voice communications signals from the affected en route center to the recovery site. Major equipment involved in this area includes radio towers used to receive and transmit voice communications, which are connected to the voice switching equipment used at en route facilities that enables controllers and pilots to communicate. FAA has made good progress in preparing the recovery site with the necessary equipment, but faces challenges in the transmission of voice signals between the recovery site and radio sites.

  FAA has demonstrated its ability to redirect a ground-to-air voice channel from a remote radio facility used by the Memphis Center to the recovery site. A controller at the recovery site was able to communicate with a pilot flying through Memphis Center airspace. However, the test did not simulate realistic disaster conditions, because it did not bypass the network connection and radio control equipment located at the Memphis Center.
  The test was also limited in that it represented just one of the many voice channels that will need to be redirected during actual BCP operations.

  According to FAA, the risk of affecting National Airspace System (NAS) operations is too great—due to operational limitations in the existing en route air traffic control communications system equipment—for simulation testing. We understand FAA’s concerns about not harming NAS operations. Nevertheless, the only way in which FAA can prove operational readiness of the recovery site is by conducting realistic communications testing that reflects the actual loss of an en route center. In a similar situation in the late 1990s, FAA did perform simulation testing on operational ATC systems to ascertain its readiness for the Year 2000 conversion, and did not in any way affect ongoing NAS operations.

  FAA informed us that it will have to work with local telephone companies to establish new connections between field communications equipment and the recovery site should an en route center become nonfunctional. However, no detailed plan exists to implement this proposed action or to test whether communications through these new connections can meet FAA’s stringent latency requirement (for speed of communications). Without sufficient testing, FAA has no assurance that it could re-route hundreds of communications channels while still meeting operational requirements for signal speed.
  FAA needs to develop a detailed plan addressing how it will install network connections between radio towers and the recovery site through the local exchange carrier during BCP operations, and conduct tests to ensure that communications through the new connection can meet the latency (speed) requirements for air travel safety.

Staffing Issues

According to National Institute of Standards and Technology (NIST) guidelines, having the right personnel available for BCP operations is a critical process. FAA has made progress in the area of human integration by creating a “ready reserve” database that contains the names of available and qualified air traffic controllers who could be called upon to serve during BCP operations. However, FAA lacks a human integration plan to relocate and house the required BCP staff, including the controllers who would need to be relocated from their assigned en route centers to the recovery site. In the absence of such a plan, FAA may not be able to activate the BCP in a timely manner because the recovery site cannot become operational without qualified air traffic controllers on-site. FAA needs to develop a plan to address human integration issues such as relocating and housing air traffic controllers at the Technical Center recovery site on a long-term basis.

Funding Requirements

FAA has not performed a cost estimate for implementing a fully functional BCP that includes personnel relocation and temporary housing for staff, as required by FAA’s Acquisition Management System. Instead, it allocated $15 million to the development effort by reallocating funds from other FAA programs and projects. FAA has spent a little less than half of the allocated funds, primarily to upgrade equipment at the recovery site.
While it has about $7.5 million remaining in the budget, there is no support or analysis showing whether the remaining funds will be sufficient to resolve outstanding needs to make the BCP fully functional, such as resolving the technical challenges associated with radar and communications signals or relocating FAA personnel. Developing a cost estimate based on the tasks that need to be completed is a basic project management control. Without it, FAA cannot determine whether it has allocated sufficient funds for implementing all tasks critical to continued en route services at the recovery site. It needs, therefore, to sufficiently analyze costs to implement all tasks critical to continued en route services, and use such analysis to secure the funding necessary to complete the business continuity plan.

Impact on Air Travel from Activating the BCP Has Not Been Assessed

NIST guidelines call for developing a business impact analysis—a standard business practice conducted prior to the development and construction of a business continuity program. FAA’s BCP estimates restoration of 80 percent of any affected en route center’s capabilities within 3 weeks at the Technical Center recovery site. However, the agency did not formally assess how the loss of each of the 22 en route centers for 3 weeks would affect NAS operations as a whole.

Loss of air traffic control facilities has a proven negative effect on NAS operations, and especially on the airline industry. Such disruptions have resulted in a rippling, nationwide effect on flight cancellations and delays. For example, in late 2007 the loss of the Memphis Center for 3 hours caused over 500 flight delays and cancellations throughout the region.
In 2003 the loss of the San Diego Terminal Radar Approach Control facility for 35 hours resulted in over 700 flight cancellations and significant delays throughout the NAS.

Since en route centers operate with varying levels of traffic, their losses would affect the NAS in different ways. Major en route centers such as New York, Cleveland, Atlanta, and Chicago handle a tremendous volume of air traffic, compared with smaller centers such as Seattle and Salt Lake City. A 2004 study by MITRE Corporation[7] suggested that airlines would lose $76 million a day if the New York Center were closed (which did not include the economic impact of cascading flight delays across the country).[8] Without a center-by-center business impact analysis, the Secretary would not be able to inform the Administration and the Congress about the potential impact on air travel—and the economy—if FAA had to activate BCP operations. To support HSPD–7, FAA needs to conduct a business impact analysis for either individual en route centers or centers having the greatest impact on the NAS.

Review of Operational ATC Systems Security Is Inadequate to Ensure Proper Protection

In response to our past recommendations, FAA has enhanced the certification and accreditation process used to review and certify the adequacy of air traffic control systems security deployed to operational sites. However, the process used lacks an effective way of selecting operational sites at risk of having unauthorized system configuration for security reviews. Past reviews have identified instances in which an FAA system was configured differently in the field from the baseline system in the computer laboratory in order to meet the operational needs of different sites.
These configuration variances have led to security weaknesses. In addition, the security reviews conducted at operational sites lacked examination and testing to ensure proper implementation of security controls, and more than 40 percent of the security controls in our sampled systems were not reviewed at all.

[7] MITRE is a nonprofit organization that manages three federally funded research and development centers, including, for FAA, the Center for Advanced Aviation System Development.
[8] Description of Limitations and Potential Mitigation Strategies for Ensuring National Airspace System (NAS) Continuity of Operations: Provisional Findings, MITRE Corporation, July 2004.

Operational Sites at Risk of Having Unauthorized System Configuration Were Not Considered for Security Review

FAA’s site-selection methodology requires the security review team to look at information on four key aspects of the system—security categorization, system environment, network connections, and configuration variances—before selecting operational sites for review. Yet review teams did not perform an adequate analysis of site-specific system configurations during the site-selection process to determine which operational locations were most likely to exhibit configuration variances.

• Security Categorization. FAA systems are categorized by how critical a system is in supporting FAA’s mission. The categorization levels for ATC systems range from low to moderate. Systems with a categorization of low are usually nonmission-critical systems; systems with an overall categorization of moderate are usually mission-critical.

• System Environment.
  ATC systems are grouped into one of three system environments: NAS Operations, Mission Support, and Administrative. Systems that operate in the NAS operational environment and also have a security categorization of moderate are mission-critical and have a significant impact on the performance of air traffic operations. Systems supporting the mission support and administrative environments do not have as significant an impact on air traffic operations.

• Network Connections. The likelihood that a cyber threat may be directed against a system is based on that system’s exposure level to the threat. A system’s network interface defines the connectivity and communications protocol, which are critical to assessing the risk of a cyber threat. Network interfaces are categorized into one of six groups.[9] The Internet/Extranet Internet Protocol (IP) environment has the highest risk of all system network connections.

• Configuration Variances. System configurations are established before deployment to the field. Most system configuration differences occur in order to meet the operational requirements that vary at each site. Since configuration differences may affect a system’s security posture, FAA requires that sites be visited where system configuration differences exist, and checked to ensure that no security vulnerabilities have been inadvertently introduced.

[9] NAS IP, Admin/Mission Support IP, Internet/Extranet IP, Closed System IP, Non-IP, and None.

Security categorization, system environment, and network connections often remain the same for a system deployed to all installation sites. While these are important criteria for determining how many installation sites should be visited, they do not directly help with site selection.
Instead, it is the last criterion, configuration variances, that is key to identifying high-risk installation sites. This makes the evaluation of configuration variances a key step in selecting specific operational sites for review, which is critical because some air traffic control systems are deployed to hundreds of operational sites. To determine the number of and specific site locations to be visited, the security review team relies on system owners to provide documentation and discussion of these key aspects during the site-selection-determination process.

In reviewing the process and documentation of the site-selection methodology for five sample systems, we found evidence that only one system’s configuration variance was reviewed or discussed to identify where differences between the local system and the baseline system might exist. Additionally, FAA was not able to provide justification for site locations chosen for security review (see Table 1).

Table 1. Documentation of FAA Site-Selection Process

System Name(a)   Total Sites   Sites Reviewed   Configuration Variance Documented?   Justification of Site Selection Documented?
ADAS                      23                4   No                                   No
ARTS III                   5                3   No                                   No
ASOS                     885                5   Yes                                  No
OASIS                     19                4   No                                   No
WMSCR                      3                3   No                                   Yes

(a) Full system names can be found in Exhibit A.
Source: OIG

Detailed analysis of system site configurations is an important step in choosing at-risk systems for review, as well as in justifying the selection.
Without a proper analysis of systems’ local configurations, FAA is not able to select, for security review, the sites that are at the greatest risk—the ultimate goal of this process.

A previous audit[10] uncovered unauthorized system configurations being added to operational air traffic control systems to meet local operational needs, without central management’s knowledge. These unauthorized system configurations made air traffic control systems vulnerable to attack—both from inside and outside. In FY 2006, FAA’s Alaska Region experienced such an attack, which prevented aeronautical information such as required flight data needed to support various flight services from being transmitted and received. This attack was facilitated by a vulnerable system on the network that had an unauthorized system configuration. The attack forced FAA to manually provide flight information to pilots flying in that region.

To eliminate such risks and prevent similar disruption, FAA needs to enhance the selection process to include a more thorough review of system configurations. FAA should also require the selection team to document the outcomes of the site-selection process, including which specific sites were selected and for what reasons.

Systems Security Reviews at Operational Sites Lacked Examination/Testing and Were Incomplete

FAA review teams conduct security reviews of operational ATC systems by using standard security questionnaires that are developed based on the security requirements identified in NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems. The questionnaires typically contain from 96 to over 200 security questions, depending on the security categorization rating of the system.
We found that the security reviews conducted\nat operational sites lacked examination and testing, and provided inadequate\ncoverage for security checks. As a result, FAA cannot rely on these security\nreviews to ensure adequate security protection in operational ATC systems.\n\nLack of Examination and Testing\n\nTo assess the adequacy of the implementation of security controls, NIST\nSpecial Publication 800-53A, Guide for Assessing the Security Controls in\nFederal Information Systems, provides three methods of review: examination,\ninterview, and testing. NIST 800-53A states that reviewers should, at a\nminimum, conduct examination-type reviews on each of the controls and use\ninterview- and testing-type reviews to provide further assurance of proper\nimplementation of a security control. We found little examination and/or\ntesting conducted at operational sites.\n\n\xe2\x80\xa2 Examination: This is the process of physically reviewing, inspecting, or\n  observing security controls to ensure security controls have been properly\n  implemented.\n\n\xe2\x80\xa2 Interview: This is the process of conducting discussions with individuals\n  concerning the posture of the system\xe2\x80\x99s security controls.\n\n\xe2\x80\xa2 Testing: This is the process of exercising the control under specified\n  conditions and comparing the actual outcome against expected outcomes.\n\n10\n     Audit of Security and Controls over En Route Center Computer Systems, OIG Report Number FI-2004-078, August 9, 2004.\n\nNIST guidance states that security control assessments are the principal vehicle\nused to verify that information systems are meeting their stated security goals\nand objectives. 
It further stresses that these assessments are not about\nchecklists, simple pass-fail results, or paperwork to pass inspections or audits.\n\nWhile review teams documented their conclusions on the questionnaires\xe2\x80\x94\nwhether specified controls worked or not\xe2\x80\x94they did not specify the methods\nused in developing their conclusions. During one security review, OIG staff\nobserved that FAA reviewers relied primarily on interviews with system\noperators in developing their conclusions, with limited examination and no\ntesting of security controls in operational ATC systems. Specifically, the\nreview team conducted interviews with an individual or a small group of\nindividuals familiar with the system. Further observation revealed only limited\nexamination-type reviews in the field, consisting of basic checks of user\nsettings and of the system\xe2\x80\x99s hardware connections. This happened because\nFAA\xe2\x80\x99s training for those assessing the systems did not address the importance\nof examination or testing.\n\nWith such a high reliance on interviews and little assurance from examination-\nand test-type reviews, FAA is unable to adequately ensure that minimum\nrequired security controls are in place to protect air traffic control systems.\nSuch superficial reviews can prevent FAA from identifying vulnerabilities that\ncould expose the ATC system to unauthorized access.\n\nIncomplete Review of Security Controls\n\nOur review of 21 questionnaires completed for 5 ATC systems found that more\nthan 40 percent of the security controls on FAA\xe2\x80\x99s questionnaires were not\nreviewed. In examining 5,035 individual control questions, we found that\n2,174 were left blank\xe2\x80\x9443 percent\xe2\x80\x94with no justification for the lack of\ncoverage (see Table 2).\n\n         Table 2. 
Results of Review of FAA Questionnaires for Five Systems\n\n       System      Questionnaires   Total Security   Questions     Percentage\n       Name        Completed        Questions        Left Blank    Left Blank\n       ADAS                     6            1,302          512            39%\n       ARTS III                 2              712          268            37%\n       ASOS                     8            1,519          740            48%\n       OASIS                    2              434          214            49%\n       WMSCR                    3            1,068          440            41%\n       Total                   21            5,035        2,174            43%\n      Source: OIG\n\nOn two questionnaires, more than 70 percent of security controls, including\ncritical access control and software change control, were not reviewed\xe2\x80\x94again\nwithout justification. As a result, FAA cannot rely on these security reviews to\nensure adequate security protection of operational ATC systems. This resulted\nfrom weak oversight of these reviews.\n\nFAA needs to strengthen its on-site review procedures to ensure complete\ncoverage of security checks and examination and testing to ensure that required\nsecurity controls are in place.\n\n\nRECOMMENDATIONS\n\nWe recommend that the Federal Aviation Administrator direct the Chief\nOperating Officer of the Air Traffic Organization and the FAA Chief Information\nOfficer to:\n\nEn Route Business Continuity Plan\n\n1. Conduct testing to ensure that radar signals will not be lost or disrupted when\n   using modems and telephone/fax lines to send radar data to the recovery site.\n2. 
(a) Develop a detailed plan addressing how FAA will install network\n   connections between radio towers and the recovery site through the local\n   exchange carrier during BCP operations, and (b) conduct tests to ensure that\n   communications through the new connection can meet the latency (speed)\n   requirements for air travel safety.\n3. Develop a plan to address human integration issues such as relocating and\n   housing air traffic controllers at the Technical Center recovery site on a\n   long-term basis.\n4. Conduct a credible cost estimate for testing the integrity of the alternate\n   methods of re-routing radar and voice communication signals to the recovery\n   site, and addressing human integration issues at the recovery site. Use such\n   analysis to secure funding accordingly to complete the business continuity\n   plan.\n5. Assess the potential impact on air travel of losing each, or at least the most\n   critical, en route centers for 3 weeks, and provide the results to the Secretary\n   of Transportation in support of HSPD\xe2\x80\x937.\n\n\nAir Traffic Control System Security Review\n\n6. Enhance the site-selection process by requiring (a) thorough reviews of\n   site-system configuration to ensure that sites that pose the greatest risk of\n   unauthorized hardware/software configurations are selected for review and (b)\n   documented justification for the sites selected for review.\n7. Enhance training on on-site review by requiring review teams to conduct\n   examination and/or testing to verify that required security controls are in place\n   at operational sites.\n8. 
Increase oversight of the on-site review process to ensure that all security\n   control checks on the questionnaires are completed or properly justified if not\n   reviewed.\n\n\nAGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL\nRESPONSE\n\nWe provided FAA a draft of our report on July 20, 2009, and received its written\ncomments on October 14, 2009. In its comments, FAA concurred with our\nrecommendations and has begun to take appropriate or alternative corrective\nactions and provided acceptable target dates for completing these actions.\n\nWhile FAA concurred with all of our recommendations, it informed us that there\nare some limitations in addressing recommendation 5\xe2\x80\x94to assess the potential\nimpact on air travel if an en route center was disrupted for 3 weeks. To address\nthis recommendation, FAA plans to prepare for each ARTCC (1) a list of the\nairports with commercial airlines, and (2) the number of air traffic operations\nconducted, on average, during a 3-week period. According to FAA, however, its\nassessment may be limited due to the lack of information on other factors that\nwould affect the impact\xe2\x80\x94such as airlines\xe2\x80\x99 plans to change their bases of\noperations in the event of a major disruption. FAA notes that it is unlikely that\nairlines would voluntarily provide this strategic information.\n\nWe agree that the list FAA plans to compile will provide information needed to\nconduct its impact assessment. However, the list alone may not allow the\nSecretary to meet HSPD\xe2\x80\x937 requirements to inform the Administration and\nCongress of the potential impact on air travel and the economy when activating\nBCP operations. Accordingly, we encourage FAA and the Secretary\xe2\x80\x99s office to\nwork with airlines to develop a comprehensive impact analysis. 
FAA\xe2\x80\x99s formal\nresponse is included in its entirety in the Appendix to this report.\n\n\nACTIONS REQUIRED\n\nFAA\xe2\x80\x99s actions taken and planned are responsive to our recommendations and are\nconsidered resolved. These actions are subject to follow-up provisions in\nDepartment of Transportation Order 8000.1C. We appreciate the courtesies and\ncooperation of FAA representatives during this audit, especially those at the\nWilliam J. Hughes Technical Center in Atlantic City. If you have any questions\nconcerning this report, please call me at (202) 366-1407 or Nathan Custer,\nProgram Director, at (202) 366-5540.\n\n\n                                        #\n\ncc: Chief Information Officer, DOT\n    Assistant Administrator for Information Services/\n      Chief Information Officer, FAA\n    Chief Operating Officer, ATO\n    Martin Gertel, M-1\n    Anthony Williams, ABU-100\n\n\nEXHIBIT A. SCOPE AND METHODOLOGY\n\nOur objectives were to determine FAA\xe2\x80\x99s progress in correcting security\nweaknesses previously identified in the air traffic control system by assessing (1)\nthe status of the BCP and (2) the methodology used in the certification and\naccreditation of air traffic control systems security at operational sites.\n\nTo achieve our objectives, we attended monthly progress briefings with\nDepartment of Transportation and FAA Chief Information Officers, along with\nFAA senior management representing the Air Traffic Organization\xe2\x80\x99s (ATO) BCP\nprogram and the Information Systems Security Manager (ISSM) Organization.\nWe reviewed the BCP concept of operations to understand the scope of the BCP.\nWe held meetings with personnel representing the work groups of the BCP\nprogram and reviewed technical requirements documents to determine the status\nand progress of the program. 
We conducted a tour of the recovery facility at the\nTechnical Center and observed demonstrations of rerouting both radar and voice\ncommunications signals. We examined the human integration program and\nprogram funding documents.\n\nWe interviewed ATO ISSM officials and reviewed documents to determine the\neffectiveness of the site-selection methodology used in the certification and\naccreditation process. We visited the Minneapolis en route center to observe the\nactual efforts that took place during the security review. In addition, we attended a\nworkshop sponsored by the ATO to determine what was being done to educate\nand train security review teams. We examined security review results of the\nfollowing selected systems to determine the adequacy of reviews performed:\n\n\xe2\x80\xa2 Automated Weather Observation System Data Acquisition System (ADAS)\n\xe2\x80\xa2 Automated Radar Terminal System (ARTS III)\n\xe2\x80\xa2 Automated Surface Observing System (ASOS)\n\xe2\x80\xa2 Operational and Supportability Implementation System (OASIS)\n\xe2\x80\xa2 Weather Message Switching Center Replacement (WMSCR).\n\n\nWe performed our audit work from October 2007 through May 2009. We\nconducted this performance audit in accordance with generally accepted\ngovernment auditing standards. Those standards require that we plan and perform\nthe audit to obtain sufficient, appropriate evidence to provide a reasonable basis\nfor our findings and conclusions based on our audit objectives. We believe that\nthe evidence obtained provides a reasonable basis for our findings and conclusions\nbased on our audit objectives.\n\n\nExhibit A. Scope and Methodology\n\n\nEXHIBIT B. 
MAJOR CONTRIBUTORS TO THIS REPORT\n\n\nName                              Title\n\nNathan Custer                     Program Director\n\nMitchell Balakit                  Senior Information Technology\n                                  Specialist\n\nChristopher Cullerot              Information Technology\n                                  Specialist\n\nMichael P. Fruitman               Writer-Editor\n\n\n\n\nExhibit B. Major Contributors to This Report\n\n\nAPPENDIX. AGENCY COMMENT\n\n                       Federal Aviation\n                       Administration\n\nMemorandum\nDate:            October 14, 2009\nTo:              Rebecca C. Leng, Assistant Inspector General for Financial and Information\n                 Technology Audits\n\nFrom:            Ramesh K. Punwani, Assistant Administrator for Financial Services/CFO\n\nPrepared by:     Anthony Williams, x79000\nSubject:         OIG Draft Report: Follow-up Review of FAA\xe2\x80\x99s Progress in Enhancing Air Traffic\n                 Control Systems Protection\n\nThank you for the opportunity to review and comment on the findings and recommendations of the\nsubject draft report dated July 20. The Federal Aviation Administration (FAA) concurs with all\nrecommendations. The following is FAA\xe2\x80\x99s response to each recommendation.\n\nOIG Recommendation 1: Conduct testing to ensure that radar signals will not be lost or disrupted\nwhen using modems and telephone/fax lines to send radar data to the recovery site.\n\nFAA Response: Concur. This method of testing was performed during several demonstrations that\noccurred between August 8, 2007, and September 25, 2008, and resulted in no lost or disrupted radar\nsignals. It is almost identical to the way FAA receives data today. The only difference is FAA will\nuse regular telephone lines instead of leased lines. 
Currently, FAA is using dial-up lines in a number\nof its air route traffic control centers (ARTCC) as backup for radar data connectivity.\n\nOIG Recommendation 2: (a) Develop a detailed plan addressing how FAA will install network\nconnections between radio towers and the recovery site through the local exchange carrier during\nbusiness continuity plan (BCP) operations, and (b) conduct tests to ensure that communications\nthrough the new connection can meet the latency (speed) requirements for air travel safety.\n\nFAA Response 2(a): Concur. FAA's detailed plan on BCP operations is contained in its External\nCommunications Activation Plan and Harris playbook, issued March 16, 2009 and December 9, 2008,\nrespectively. The plan was assessed during the tabletop exercises in January 2009 and determined to\nbe sufficient by the test team. This plan is available for the Office of Inspector General\xe2\x80\x99s (OIG)\nreview upon request.\n\nAppendix. Agency Comments\n\nFAA Response 2(b): Concur. FAA tested redirecting a communications circuit from Memphis\ncenter to the Spare ARTCC (SPARTCC) and found there is no difference between re-routing the\ncommunication circuit at the ARTCC (i.e., this is how it was accomplished during the demonstration)\nversus re-routing it at the local carrier within the Federal Telecommunication Infrastructure cloud.\nFAA\xe2\x80\x99s way of testing proved that re-routing can be done without any latency issues.\n\nOIG Recommendation 3: Develop a plan to address human integration issues such as\nrelocating and housing air traffic controllers at the Technical Center recovery site on a\nlong-term basis.\n\n\nFAA Response: Concur. The air traffic controllers\xe2\x80\x99 union contract states that under conditions such\nas a BCP event, personnel may be required to relocate their duty station. 
Additionally, the BCP\nactivation plans cover how FAA will relocate field personnel and provide them housing. These plans\nwere completed in March and are available for the OIG\xe2\x80\x99s review upon request.\n\nOIG Recommendation 4: Conduct a credible cost estimate for testing the integrity of the alternate\nmethods of re-routing radar and voice communication signals to the recovery site, and addressing\nhuman integration issues at the recovery site. Use such analysis to secure funding accordingly to\ncomplete the business continuity plan.\n\nFAA Response: Concur. The necessary infrastructure to convert the labs is in place, the activation\nplans are issued, and all readiness assessments and demonstrations have been completed. The BCP\nprogram will officially declare the SPARTCC \xe2\x80\x9cactivation ready\xe2\x80\x9d once the Service Level Agreement\n(SLA) and the NAS Change Proposal (NCP) for Internet Protocol (IP) radar have been signed. The\nSLA and NCP serve as the basis of FAA\xe2\x80\x99s funding requests. The SLA has been signed and the NCP\nwill be signed by October 31, 2009.\n\nOIG Recommendation 5: Assess the potential impact on air travel of losing each, or at least the\nmost critical, en route centers for 3 weeks, and provide the results to the Secretary of Transportation in\nsupport of the Homeland Security Presidential Directive (HSPD)\xe2\x80\x937.\n\nFAA Response: Concur. The 2004 MITRE study included information on the \xe2\x80\x9cPotential Revenue\nLoss to Air Carriers Due to ARTCC Outage Scenarios\xe2\x80\x9d showing the results for each ARTCC. FAA\ndoes not see added value in further analysis above what MITRE concluded in its 2004 report. The\nrange is over $40 million per day for New York Air Route Traffic Control Center to over $5 million\nper day for the Salt Lake Center Air Traffic Control. Clearly, the service impacts vary with the\nvolume of traffic and the national and seasonal flows. 
Additionally, the FAA will provide the OIG\nwith a list of airports (with commercial airlines) that underlie each ARTCC, and a total number of air\ntraffic operations that each of those ARTCCs conducts, on average, during a three-week period. This\ninformation will be provided by November 30, 2009.\n\nOIG Recommendation 6: Enhance the site-selection process by requiring (a) thorough reviews of\nsite-system configuration to ensure that sites that pose the greatest risk of unauthorized\nhardware/software configurations are selected for review and (b) documented justification for the sites\nselected for review.\n\nFAA Response: Concur. Since fiscal year (FY) 2007, the Air Traffic Organization (ATO) has\nenhanced the Certification and Authorization (C&A) Level of Effort (LOE) process to better identify\nand justify site-selection. FAA has been discussing methodology with the OIG for selecting specific\nsites and the number of sites for each system undergoing C&A. This methodology is described in the\nfollowing paragraphs.\n\nThe LOE process requires that the System Owner submit an LOE Briefing and System\nCharacterization document prior to scheduling field site visits for that system. The information\nrequired provides technical details on the system architecture and operating environments, and\nincludes configuration variances that may exist at certain sites, based on the System Owner Program\nOffice, and their support organizations when appropriate. The LOE Briefing has a specific section\nthat requires detailed information on system configuration differences and locations where the\nconfiguration differences may exist. The ATO Information System Security (ISS) Program reviews\nboth documents and identifies specific sites that are tagged as \xe2\x80\x9cmust be visited\xe2\x80\x9d sites. 
In addition, the\nobjective of selecting an adequate number of representative sites must be met for each system.\nTypically, there is a minimum of three operational sites that must be visited for all systems, unless a\nsystem has fewer than three fielded locations. This objective of a minimum of three sites is\nimplemented even for systems that are deployed with the same standard configuration baseline. For\nexample, if a system is operating at 20 ARTCCs, then a minimum of three ARTCCs must be visited to\nobtain an adequate representative sample, even though the systems have the same configuration\nbaseline. There is also a conscious effort to distribute the site visits across multiple facilities for\nsystems being recertified, so that different facilities are selected for the current year, as compared to\nthe last C&A site visits (typically three years earlier). This approach provides a broader site visit\nsampling spreading across different C&A years. So visits in FY 2010 for a specific system will\nintentionally pick different sites than those selected in FY 2007, unless there are specific reasons to\nrevisit the same facility for that system (i.e., certain facilities tend to be used as a \xe2\x80\x9ckey site\xe2\x80\x9d for\nimplementing technology/functionality upgrades, prior to making the changes at other sites for that\nspecific system).\n\nAdditionally, the ATO LOE process requires mandatory visits to sites where systems are configured\ndifferently from the standard system configuration baseline to assess the risk of the different\nconfigurations at specific sites. 
For example, if a system is deployed to 20 ARTCCs and one of the\nsystems has a significantly different configuration than the other 19 (e.g., hardware, software,\ninternal/external connectivity), then that site with the different configuration must also be audited in\naddition to the minimum three site visits.\n\nSystem sites are also selected based on the facility type where the system is deployed to assess the risk\nof systems deployed in different operating environments. For example, systems that may be deployed\nin both the En Route (e.g., ARTCCs) and Terminal [e.g., Terminal Radar Approach Control\n(TRACON) facilities] environment must include site visits to both En Route and Terminal facilities to\nassess the system risk in those operating environments.\n\nMandatory site visits and justification are documented in the Risk Assessment Site Survey Plan and\nthe System LOE Determination, which is developed each Fiscal Year for every ATO system that is\nscheduled to complete C&A.\n\nResults of the LOE Determination are emailed by the ATO ISS Program to the Independent Risk\nAssessment and Test Team (IRAT) and System Owner, including a copy of the System Site Survey\nPlan. After the LOE Determination is transmitted, further discussions occur between the IRAT and\nthe System Owner organization to validate the system configuration baseline and possible\nconfiguration differences that may be fielded. 
If configuration differences are identified after the LOE\nDetermination, the ATO ISS Program is notified and the System LOE Determination is modified to\ninclude mandatory site visits to the sites where configuration differences exist.\n\nOIG Recommendation 7: Enhance training on on-site review by requiring review teams to conduct\nexamination and/or testing to verify that required security controls are in place at operational sites.\n\nFAA Response: Concur. FAA has completed implementation of this recommendation as described\nbelow.\n\nThe ATO security operating environment is very complex, with hundreds of systems, thousands of\nmanned and unmanned facilities, operations, and management processes sprawling across 50 states\nand international borders. Understanding how to properly apply risk analysis and security testing\nprocesses across the ATO environment is equally complex and must take into account several key\naspects.\n\nThe first key aspect is that the ATO consists of three distinct operating environments \xe2\x80\x93 NAS, Mission\nSupport, and Administrative. The NAS environment includes systems that directly support safety-\ncritical Air Traffic Control (ATC) services. Because of the safety critical nature of the NAS\nenvironment, NAS systems must be protected and operate at higher information assurance levels than\nMission Support and Administrative systems. Mission Support systems indirectly support the conduct\nor management of ATC operations and do not impact safety of ATC operations. Administrative\nsystems support the provision of routine ATO administrative services, such as email. Mission\nSupport and Administrative systems have a completely different operations, management, and\nmaintenance infrastructure than NAS systems. 
Additionally, there are major differences in the\napplication of security controls and processes for conducting risk assessment and testing in each\nenvironment.\n\nThe second key aspect in ATO is the separation of NAS systems operating environment from the\nMission Support/Administrative systems operating environment. Separation is provided through the\nuse of two network infrastructures that are physically and logically isolated, as follows:\n\n\xe2\x80\xa2   NAS Operations (Ops) IP Network\n\xe2\x80\xa2   Mission Support/Administrative IP Network.\n\nThe physical and logical separation of the NAS and Mission Support and Administrative networks is a\ncritical factor in ensuring that NAS systems can continue to provide a high level of service\navailability, information integrity, and confidentiality needed to maintain air traffic safety and\nefficiency.\n\nThe third key aspect of the ATO operating environment is the use of authorized communications\ngateways and Internet Access Points (IAPs) to provide boundary protection between the NAS and\nMission Support and Administrative environments and external network infrastructures. Additionally,\nspecialized system communications gateways, such as the ARTS Gateway (AGW), provide boundary\nprotection between NAS systems and other non-NAS systems [e.g., the ARTS and National Offload\nProgram (NOP)].\n\nThe ATO operating environment was specifically architected to separate the NAS environment from\nthe Mission Support/Administrative environment because NAS systems provide safety critical ATC\nservices. NAS systems operate on a physically separate network infrastructure from all other FAA\nsystems in order to maintain a higher service assurance level and minimize risk. Any disruption to a\nNAS system may cause impacts to safety and efficiency. 
Even short-term system outages cause\nripples throughout the NAS that may result in significant adverse impacts in terms of extra fuel\nconsumed and time delays. Because of safety and economic factors, the primary consideration in\nconducting security testing of NAS operational systems is to ensure that NAS services are not\ninterrupted.\n\nIn order to maintain NAS safety and efficiency, and continue to provide the NAS operating\nenvironment with a high level of information assurance, ATO has taken several steps during the past\nthree years to enhance its security testing methodology, and to provide enhanced test methodology\ntraining to Independent Risk Assessment Team (IRAT) personnel, as described in the following\nparagraphs.\n\nSince fiscal year (FY) 2007, the ATO has enhanced the process for testing critical ATC systems at\nNAS operational sites by conducting observation and demonstration testing of implemented security\ncontrols. With the implementation of NIST 800-53A, greater use of examination and testing will be\nneeded. For most NAS systems, the stringent implementation validation of all changes to systems is\nfully tested at the support centers, William J Hughes Technical Center (WJHTC) and Mike Monroney\nAeronautical Center (MMAC), prior to releasing to the field. The formal process of releasing System\nSupport Modifications (SSM) for NAS Systems and creating an audit mechanism through the\nMaintenance Management System allows the tracking of individual sites implementing planned\nupgrades and modifications. 
For NAS systems, field personnel are implementing changes as directed\nthrough SSM issued for the system; otherwise, system configurations seldom change.\n\nAs for conducting electronic security scan testing, it is a well-known fact that even the use of\nnon-intrusive security testing tools does occasionally cause various operating system failures or lock-ups.\nTherefore, ATO relies on greater observation and demonstration testing methods at the system\noperational sites, and conducts much of the security testing using replicas of fielded systems in the\nWJHTC or MMAC test environments.\n\nIn fielded operational sites, observation and demonstration consists of the FAA system specialist\ndemonstrating system security controls through presentation of \xe2\x80\x9cscreen shots\xe2\x80\x9d or printouts of system\nsecurity policies. Although demonstration and observation testing requires more time than system\nscanning, it significantly reduces the chances that testing will inadvertently \xe2\x80\x9cbring down\xe2\x80\x9d an\noperational NAS system. Additionally, demonstration and observation testing eliminates potential\n\xe2\x80\x9cfalse positives\xe2\x80\x9d that are encountered through the use of scan test tools. Part of the enhanced process\nmoving forward will be to perform extractions from the observation and demonstration testing (e.g.,\nprintouts) in order to better document testing results at the operational site. For fielded assets such as\nrouters, firewalls, managed switches, etc., greater use of extractions of configuration files and rules\nare planned to validate against the version-controlled releases of those files from WJHTC and\nMMAC, which would be tested in the support system environment.\n\nA key measure that ATO has undertaken is to conduct operational site security testing of new ATC\nsystems, prior to commencement of ATC operations. The full range of security tests, including scan\ntesting, is conducted on the system at the operational site. This ensures that the system is tested in the\nexact operational site configuration. Examples of operational site testing included the Wide Area\nMonitoring System (WAM) and Operational and Supportability Implementation Systems. ATO will\ncontinue to conduct operational site testing using scan test tools on all new ATC systems as they\ncontinue to be deployed in the NAS.\n\nThe ATO also conducts security testing for legacy ATC systems using passive and active (e.g.,\npenetration testing) software tools on systems at either the WJHTC or MMAC laboratories. The labs at\nWJHTC and MMAC also have the capability to be configured to represent a specific operational site.\nFor example, the WJHTC ATOP lab can be configured to the same operational site configuration as\nthe ATOP system deployed at New York, Oakland, and Anchorage.\n\nAdditionally, ATO conducts on-site testing of operational ATC mission support systems if there will\nbe no impact to operational ATC Systems. 
Some examples of ATC mission support systems tested\non-site include National Off-Load Program (NOP), CRU-X, CAEG, IAPs, LSSD, and\nSTARCASTER.\n\nMoving forward, the ATO will use a combination of all the methodologies listed above to continually\nassess ATC system security, while continuing to minimize the potential for adversely impacting air\ntraffic safety or efficiency.\n\nRisk Assessment Team personnel, both FAA and contractor, participated in the enhancement of the\nsystem security testing methodology and were trained as part of the development efforts. All new\nIRAT FAA personnel are trained on-the-job via shadowing techniques and study of risk assessment\nprocess documentation. New contractor personnel are required to have security risk assessment and\ntesting experience and are trained on the specific methodology via internal company training.\n\nOIG Recommendation 8: Increase oversight of the on-site review process to ensure that all security\ncontrol checks on the questionnaires are completed or properly justified if not reviewed.\n\nFAA Response: Concur. FAA has completed implementation of this recommendation. The ATO\nuses a questionnaire as part of the Risk Assessment on-site review process. The questionnaire\nconsists of NIST SP 800-53 rev2 security controls that address all 17 NIST 800-53 Security Control\nFamilies. Systems that have a FIPS-199 Security Categorization (SC) of Low, Moderate, or High are\nevaluated using the appropriate Low, Moderate, or High set of NIST 800-53 rev2 security controls\n(i.e., questionnaire). For example, a questionnaire that contains the \xe2\x80\x9cModerate\xe2\x80\x9d set of security\ncontrols will be used to assess a system with a \xe2\x80\x9cModerate\xe2\x80\x9d FIPS-199 SC. Questionnaires that contain\nthe \xe2\x80\x9cModerate\xe2\x80\x9d set of security controls consist of the Moderate and Low set of NIST 800-53 Security\nControls. 
Finally, questionnaires that contain the \xe2\x80\x9cLow\xe2\x80\x9d set of security controls consist of only the\nLow set of NIST 800-53 Security Controls.\n\n\nAppendix. Agency Comments\n\x0c                                                                                                      25\n\n\n\nDepending on their life cycle support, there are some NIST Security Control Families, and specific\ncontrols within Families, that are not applicable for conducting interviews of system technical\npersonnel. Implementation of some NIST Common Security Control Families, such as CA, may be\nthe sole responsibility of another FAA organization, such as FAA Headquarters or the System 2nd\nLevel Support Facility, and not the on-site system specialist. For example, questions in the CA\nFamily of NIST 800-53 Security Controls may be categorized as \xe2\x80\x9cCommon Controls\xe2\x80\x9d and are the\nresponsibility of FAA Headquarters organizations, not the responsibility of field site personnel.\n\nStarting in FY 2009 the ATO enhanced the on-site review process, in order to eliminate \xe2\x80\x9cblank\xe2\x80\x9d or\n\xe2\x80\x9cNA\xe2\x80\x9d questions that may result from on-site reviews. Enhancements include tailoring the\nquestionnaires to indicate whether a specific question (security control) is appropriate for use on site,\ndepending on the role(s) of the facility/site personnel. For example, field specialists that are not\nresponsible for issuing changes to a system\xe2\x80\x99s Technical Manual will be annotated as N/A for that site,\nand further annotated to indicate what organization is responsible or would be the source of the\ninformation being requested (e.g., WJHTC issues Technical Manual Revisions). The tailoring may\ninclude documenting on each specific question (security control) whether it applies, including the\nrationale. 
For example, some questions that are not applicable for on-site review, such as the CA\nfamily, are annotated \xe2\x80\x9cN/A Common Control,\xe2\x80\x9d and are not addressed during the on-site review. This\nenhanced process includes responses to all questions on the site survey form, and reduces the chance\nthat a question may not be addressed, and provides justification for focusing responses for specific\nquestions based on an individual's organization's role in developing and implementing security\ncontrols.\n\nS:\\\\ABU-100\\OIG GAO\\09-20 ATC Sys Sec revised final 9/2/09\n\n\n\n\nAppendix. Agency Comments\n\x0c"
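The questionnaire selection and tailoring process described in the response to Recommendation 8 (a control set chosen by FIPS-199 category, with the Moderate questionnaire comprising the Moderate and Low controls, site-inapplicable controls pre-annotated N/A with the responsible organization and rationale, and no blank answers allowed) can be modelled as a small completeness validator. The following is an added example written for this page; it is not FAA code and does not reproduce the NIST SP 800-53 rev2 baselines. The control identifiers assigned to each set are a constructed sample, and the status vocabulary, the `CM-3`-to-Technical-Manual mapping, and the on-site answers are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed, illustrative control sets. Only the nesting rule from the
# response is modelled (Moderate = Low + Moderate additions; High adds more).
# These are NOT the real NIST SP 800-53 rev2 baseline allocations.
LOW_CONTROLS: Set[str] = {"AC-2", "AC-3", "AU-2", "CA-2", "CM-2", "IA-2", "IR-2", "SC-7"}
MODERATE_ADDITIONS: Set[str] = {"AC-6", "AU-6", "CA-7", "CM-3", "IR-4", "SI-4"}
HIGH_ADDITIONS: Set[str] = {"AC-2(2)", "AU-9", "CM-5", "SC-24"}

# Assumed answer vocabulary for an on-site reviewer.
VALID_STATUS = {"Implemented", "Partial", "Not Implemented"}


def baseline(category: str) -> Set[str]:
    """Return the questionnaire (control set) for a FIPS-199 security categorization."""
    cat = category.strip().lower()
    if cat == "low":
        return set(LOW_CONTROLS)
    if cat == "moderate":
        return LOW_CONTROLS | MODERATE_ADDITIONS
    if cat == "high":
        return LOW_CONTROLS | MODERATE_ADDITIONS | HIGH_ADDITIONS
    raise ValueError(f"unknown FIPS-199 category: {category!r}")


@dataclass
class Response:
    """One questionnaire answer. status is None while the question is still blank."""
    status: Optional[str] = None          # a VALID_STATUS value, "N/A", or None (blank)
    responsible_org: Optional[str] = None  # required when status == "N/A"
    rationale: Optional[str] = None        # required when status == "N/A"


def common_control_exclusions(controls: Set[str], families=("CA",)) -> Dict[str, Tuple[str, str]]:
    """Mark whole families (e.g., CA) as common controls owned by a headquarters organization."""
    return {c: ("FAA Headquarters", "N/A Common Control")
            for c in controls if c.split("-")[0] in families}


def tailor(controls: Set[str], exclusions: Dict[str, Tuple[str, str]]) -> Dict[str, Response]:
    """Build the site questionnaire, pre-annotating excluded controls as justified N/A."""
    questionnaire = {c: Response() for c in sorted(controls)}
    for control, (org, why) in exclusions.items():
        if control in questionnaire:
            questionnaire[control] = Response("N/A", org, why)
    return questionnaire


def check_completeness(questionnaire: Dict[str, Response]) -> List[str]:
    """Return one finding per control that is blank, an unjustified N/A, or an unknown status."""
    findings: List[str] = []
    for control, r in questionnaire.items():
        if not r.status:
            findings.append(f"{control}: blank response")
        elif r.status == "N/A":
            if not (r.responsible_org and r.rationale):
                findings.append(f"{control}: N/A without responsible organization and rationale")
        elif r.status not in VALID_STATUS:
            findings.append(f"{control}: unrecognized status {r.status!r}")
    return findings


def run_example() -> List[str]:
    """Constructed Moderate-category review: two answers should be flagged."""
    controls = baseline("Moderate")
    exclusions = common_control_exclusions(controls)
    # Assumed site tailoring: this site does not issue Technical Manual revisions.
    exclusions["CM-3"] = ("WJHTC", "WJHTC issues Technical Manual Revisions")
    q = tailor(controls, exclusions)
    # Constructed on-site answers.
    for c in ("AC-2", "AC-3", "AU-2", "CM-2", "IA-2", "IR-4", "SC-7"):
        q[c] = Response("Implemented")
    q["AC-6"] = Response("Partial")
    q["AU-6"] = Response("Not Implemented")
    q["IR-2"] = Response("N/A")   # N/A with no organization or rationale: must be flagged
    # SI-4 is deliberately left blank: must be flagged
    return check_completeness(q)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Running the module prints the two findings (the bare N/A on `IR-2` and the blank `SI-4`); the pre-annotated CA family and `CM-3` pass because each carries both a responsible organization and a rationale, which is the justification the recommendation asks for.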